Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72025
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.179 as permitted sender)
MIME-Version: 1.0
In-Reply-To: <CAGa2bXYJRUP58x_XSHgXBy0L0Yiprw=UP-suspWtVqkvYHKC2g@mail.gmail.com>
References: <CAGa2bXbq1ttBz+hSk20-CkKWvDdHr5+8bBmc04Q22i7K2VSs+A@mail.gmail.com>
	<52EDF552.4010208@divbyzero.net>
	<CAGa2bXYJRUP58x_XSHgXBy0L0Yiprw=UP-suspWtVqkvYHKC2g@mail.gmail.com>
Date: Mon, 3 Feb 2014 07:55:04 +0800
Message-ID: <CAHMUw2FQ9vHtROk9NZf8Kwd7O2V3Z1uodu29NZOfDAp0B8M+yQ@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: Martin Jansen <martin@divbyzero.net>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=bcaec548a15bd9b61e04f1752298
Subject: Re: [PHP-DEV] Extending uniqid() or not?
From: tjerk.meesters@gmail.com (Tjerk Meesters)

--bcaec548a15bd9b61e04f1752298
Content-Type: text/plain; charset=ISO-8859-1

On Sun, Feb 2, 2014 at 6:12 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> On Sun, Feb 2, 2014 at 4:35 PM, Martin Jansen <martin@divbyzero.net>
> wrote:
>
> > On 02.02.14 05:32, Yasuo Ohgaki wrote:
> > >  string safe_uniqid([ing $length=64])
> > >
> > > It generate ID using good RNG such as /dev/urandom, /dev/arandom for
> > > UNIXes, openssl RNG for Windows when they are available. It does not
> use
> > > hash function, but simply convert RNG binary data into text. The same
> > > algorithm that is used for session ID may be used. (Use
> > > hash_bits_per_character=5, since it only contains alphanumeric chars)
> > Since
> > > it does not use hash, it's fast.
> > >
> > > Any comments? Any good names?
> >
> > The documentation for uniqid() is pretty clear about the fact that it's
> > not cryptographically secure and recomends openssl_random_pseudo_bytes()
> > as a replacement. Shouldn't we just try to come up with sane default
> > values for its $length parameter instead of adding yet another new
> > function?
> >
>
> I added the warning to the doc recently.
>
> I see codes that uses uniqid() as a source of safe unique id generation
> using
> hash functions which is not secure in fact.
>
> We are better to provide easy to use safe unique ID generation function to
> prevent this kind of usage even if user could do in user land. Writing a
> portable one is not simple enough.
>
> > string safe_uniqid([ing $length=64])
>
> Sorry, there is typo and option should be descriptive. It should be
>
> string safe_uniqid([int $length_of_returned_unique_id_string=64');
>
> This function is totally different from current uniqid().
> I don't like the name. I hope some one think of good name for it.
>
> > P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's
> > good
> > > for PHP.
> > > http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
> >
> > There's http://pecl.php.net/package/uuid.
>
>
> It uses ext2 UUID. Isn' it only available for linux, is it?
> It' a LGPL license also. It's not preferred license for core...
>

I think it would be good enough to have only uuid v4:

function uuidv4()
{
    $data = openssl_random_pseudo_bytes(16); // or whatever

    $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010
    $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10

    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
}

It's really just a representation of random data, whereby 6 bits are used
for the actual format.


> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>



-- 
--
Tjerk

--bcaec548a15bd9b61e04f1752298--